- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 27 Oct 2017 16:01:27 +1100
- To: Mark Nottingham <mnot@mnot.net>
- Cc: John Fallows <john.fallows@kaazing.com>, Patrick McManus <pmcmanus@mozilla.com>, hybi <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>

On Fri, Oct 27, 2017 at 10:39 AM, Mark Nottingham <mnot@mnot.net> wrote:
> Just to give some context as to why I don't think it's a subtle change -- consider OWASP's mod_security CRS, which is the basis of most WAF products. It has baked-in assumptions about the semantics of CONNECT; e.g.,
> <https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/e4e0497be4d598cce0e0a8fef20d1f1e5578c8d0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf>

I found this message quite obtuse (and that file worse), but what I think you are saying is that an origin server might treat CONNECT specially in a way that might make a new method easier to deploy. That's a fine argument for a new method.

Received on Friday, 27 October 2017 05:01:51 UTC